
I'm writing a Ruby application that will need to handle a user's enterprise password. I'd like to minimize the time the password is in memory to reduce the likelihood of the password being exposed.

In a native language, I would directly erase the data. In C#, I would use the SecureString class. In Java, I'd use char[]. But the best that I can find for Ruby is an old feature request that seems dead.

What is the standard for securely storing and erasing passwords from memory in Ruby? Is there a class that does this? A coding pattern similar to the char[] of Java?

Neil Smithline
  • Ultimately this is a lost cause as you have no control over what data is stored in L1, L2, L3 caches or the registers themselves. Those that think they can expunge it from system memory are often mistaken; the operating system might be remapping memory without their knowledge and leaving traces of their data. If you need absolute security then use an authentication mechanism that doesn't require your application having the bare password. Mechanisms like LDAP or OAuth offload this responsibility completely. – tadman Jun 08 '16 at 23:25
  • @tadman Fair enough. I'm still interested in hearing if there are common patterns that people use – Neil Smithline Jun 08 '16 at 23:35
  • You might want to look at [how people handle cryptographic private keys](http://stackoverflow.com/questions/1263350/cryptography-best-practices-for-keys-in-memory) which is usually a far more serious problem than passwords. The solutions are often extremely complicated and expensive. Basically if you can't trust your hardware's secure, don't place any trust in your hardware and avoid accepting the password in the first place. Use a different authentication mechanism. Scrubbing in memory limits your risk, it doesn't eliminate it. – tadman Jun 09 '16 at 01:07
  • @tadman good idea about keys. I'll research that. And it's not that I don't trust the hardware, I'm mostly concerned about a core dump or something storing the password in the file system in clear text. I certainly understand that there are still potential leaks (e.g. can't be certain that the password is not left on the disk used for swapping). But if I can be more secure with just a bit of extra effort, that may be worth it – Neil Smithline Jun 09 '16 at 01:16
  • If you're concerned about this, I'd bring it up somewhere you can get expert attention and perhaps have a gem made to accommodate these needs. It sounds like quite an engineering task to do right, and anything less than nailing it sounds like a whole lot of paranoia for very little gain. – tadman Jun 09 '16 at 05:05

1 Answer


A Ruby issue (5741) regarding secure erasure of secrets from memory has existed for 5 years now. That issue also contains some links which explain why it is a good thing to erase passwords from memory. Lately macOS had an issue with FileVault2, because the password was stored within memory.

One possible solution shown within issue 5741 is:

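```ruby
require 'stringio'

pass = ""
$stdin.sysread(256, pass) # assuming a line-buffered terminal
# Overwrite the buffer in place by reading NUL bytes into the same String
io = StringIO.new("\0" * pass.bytesize)
io.read(pass.bytesize, pass)
```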

It seems to work with ruby 2.3.1p112, but I can't promise it.

slowjack2k
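The in-place overwrite from the answer, wrapped in a block so the wipe also runs when the caller raises, and showing that a `dup` made along the way is not wiped. This is an added example, not code from the answer or from the Ruby issue; `scrub!`, `with_secret` and `demo` are hypothetical names and the input is constructed.

```ruby
require 'stringio'

# Overwrite every byte of +str+ in place (hypothetical helper).
# A frozen String cannot be wiped, so fail loudly instead of silently skipping.
def scrub!(str)
  raise ArgumentError, 'cannot scrub a frozen string' if str.frozen?
  str.bytesize.times { |i| str.setbyte(i, 0) }
  str
end

# Read one secret from +io+ into a single mutable buffer, yield it, and
# scrub it afterwards, even if the block raises (hypothetical helper).
def with_secret(io, max = 256)
  buf = String.new(capacity: max) # preallocated buffer (Ruby 2.4+)
  io.sysread(max, buf)            # fills buf itself, as in the answer
  buf.chomp!                      # in place; chomp without "!" returns a copy
  yield buf
ensure
  scrub!(buf) if buf
end

# Constructed demo: a StringIO stands in for $stdin.
def demo
  input = StringIO.new("hunter2-constructed\n")
  alias_ref = nil
  copy = nil
  length = with_secret(input) do |pw|
    alias_ref = pw  # same object as the buffer: wiped with it
    copy = pw.dup   # separate object: still holds the secret afterwards
    pw.bytesize
  end
  { length: length,
    alias_wiped: alias_ref.bytes.all?(&:zero?),
    copy_survives: copy.b == 'hunter2-constructed'.b }
end

p demo if $PROGRAM_NAME == __FILE__
```

Any method that returns a new String (`dup`, `chomp`, `+`, `strip`, interpolation) leaves a copy that this pattern never sees, so only the bang variants are safe to use inside the block.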